CVE-2023-41270: SMOLD TV: Old & Smart

Improper Restriction of Excessive Authentication Attempts vulnerability in Samsung Smart TV UE40D7000 version T-GAPDEUC-1033.2 and before allows attackers to cause a denial of service via WPS attack tools.

  • 1. SMOLD TV: Old & Smart
    Gerard Fuguet ([email protected])
    Abstract: The life cycle of an object is finite; it does not last forever and has an expiration date, although most of the time that date is unknown. The old idea behind buying something is a strong principle of durability, but people forget that the item almost always has a replacement: the same thing, or another one with similar functionality. The item covered in this white paper is a Smart TV, a fairly old model from around 2011 that still works almost as well as the day it was bought. We found a vulnerability that affects the viewing experience of the viewer/spectator/audience by producing a denial of their service (DoS). We will demonstrate that TVs like these deserve "a second life". Vendors should want to keep supporting them, fixing these errors and avoiding planned obsolescence (without focusing on the "death of the item"), in order to protect them from all types of today's cyberattacks.

  • 2. Table of Contents
    1. Motivation … 3
    2. SWL [Samsung Wireless Link] … 3
    2.1. Wireless Spores … 4
    2.2. Air Dress Code … 7
    2.2.1. Windows WPS to WPA/2 … 9
    2.2.2. Linux WPS to WPA/2 … 12
    2.3. Host offerings to Guests … 15
    3. DoS Attack … 16
    3.1. (pixied) Bully … 18
    3.1.1. Videometer … 19
    3.1.2. PostMortem … 20
    3.2. (bits) Reaver … 23
    3.2.1. Time Thief … 24
    4. Conclusions … 26
    5. References … 29

  • 3. 1. Motivation
    On a typical day of my life, I was watching my Smart TV when it suddenly rebooted without any prior notice. At that moment I assumed it did not have enough hardware resources such as RAM or CPU, or had some related fault, because the TV was very old and its electronic components had perhaps started to degrade. I had SWL (Samsung Wireless Link) [1] activated by mistake, because I had been doing some "pen-tests" and inventory tasks.
    Figure 1: SWL (Samsung Wireless Link) option in Menu Settings
    Somewhat concerned, I decided to research the vulnerabilities this Smart TV has. I found one affecting the SWL component when it is activated and generates a Wi-Fi Access Point [2] [3]. Normally, when someone finds a vulnerability and shares it publicly, an identification number is created to identify it properly. In this case there is no CVE ID assigned, but there is a VulDB entry (strange, because VulDB cooperates with MITRE and the corresponding CNA). The security researchers [2] [3] reported that, using the reaver tool [4] (a WPS auditing toolkit), they were able to break the WPA2 password in a few seconds (the default PIN was all zeroes according to their tests). The TV uses the WPS mechanism to establish the connection with the client, using the PBC (Push Button Configuration) [5] method. I decided to try to replicate this to see whether the TV had gained "enough intelligence" to be protected against these situations. We will talk later about the problem we found.
    2. SWL [Samsung Wireless Link]
    This is the name given to the HotSpot/Access Point functionality of the TV, which lets devices share content through this "hotline". The Smart TV also offers it when there is no infrastructure mode (meaning the TV is not connected to a network), so devices cannot otherwise be added to the same network, or when the TV is connected to a network through Ethernet but Wi-Fi devices do not want to establish a connection through an AP that does not belong to the TV infrastructure, for several reasons.

  • 4. This function seems to remain in OFF mode with the help of the latest firmware updates, in order not to disturb others with its powerful/strong signal [6] and to protect your network against unwanted intruders [3]. Of course, we are always curious about the way it is built and decided to check it out; you can turn it ON easily through the remote control by following the steps below:
    Menu - Network - SWL(Samsung Wireless Link) - SWL(Samsung Wireless Link) - Activate
    Note: I operated with these commands under the Spanish TV language. Some action words may differ.
    2.1. Wireless Spores
    When you want to connect to a wireless network, what is the first thing you look for, its SSID name or its transmit power? It probably makes more sense to look at the transmit power, because we do not know its name; it is not shown anywhere in the process, but it does have a name, and this Wi-Fi is not hidden. It shows as:
    SEC_LinkShare_XXXXXX
    where "X" represents the last 6 digits of the MAC of the... Wi-Fi interface? No: of the Ethernet interface. If you use a modern Windows 10, you will be made aware of the PBC (Push Button Configuration) function because it supports WPS.

  • 5. Figure 2: Windows 10 Wireless Manager aware of WPS options
    Note: The words in figure 2 above are in Spanish. Near "enter the wireless security key" it says: "You can also connect by pushing the button on the router." It is well known that this message is universal/global when PBC is detected as a configuration method, and when this option appears, WPS is implicitly in use.
    More detailed information can be retrieved with other tools such as airodump-ng from the aircrack-ng suite (with a compatible wireless card supporting monitor mode), as seen in the following figure:
    Figure 3: Kali Linux: WPS available options under airodump-ng
    Modern versions support detailed WPS info, showing it in its own column (at the right, between AUTH and ESSID). You just need to add the --wps argument to the command. It reports the version and then the types, which are LAB and PBC. The theory says LAB is a label on which the PIN code (8 digits) is printed, and PBC means button-style configuration (in the TV case this is done by software, triggered through the menu). The channel here is number 11, but further investigation tells us it can switch to number 1, so it can differ on each reboot (no other channels were observed).
    We can also save the capture directly through airodump-ng by adding --write, like this:
    airodump-ng --write capture --beacons --channel 11 wlan0mon
    (where --beacons means record all the beacons instead of saving only one). Or record into Wireshark (fixing the channel selection beforehand, to be sure we are sniffing the correct one) for later inspection of the packets in your favourite reader (of course, we are talking about Wireshark! Plus, you will record the radio header too!!). The packets we expect need to be Probe Responses or Beacon Frames at the moment the TV "pushes the button". Normal/standard Beacon Frames do not carry the WPS configuration methods (if no station sends Probe Requests).
    A Wi-Fi capture takes a lot of unwanted packets, which forces us to implement a good display filter for what is needed. We used the following (as short as possible):
    wlan.ta == e4:e0:c5:xx:xx:xx && (wlan.ra == 00:27:10:xx:xx:xx || wlan.ra == ff:ff:ff:ff:ff:ff) && (wps.config_methods || wps.selected_registrar_config_methods)
    "What the hell" does this mean? Well, let's explain each part of the display filter:

  • 6. wlan.ta → the transmitter/origin MAC address of the TV, whose responsibility it is to inform others over the air about what it offers.
    wlan.ra → the receiver/destination MAC address of the client that receives the information provided by the TV. This can also be the broadcast address when the TV is offering to all (Beacon Frames).
    wps.config_methods → available WPS methods, shown in a Probe Response.
    wps.selected_registrar_config_methods → shows the methods at the time the AP acts as registrar (it has pushed the button), so the Probe Response packet is larger. Beacon Frames also match here, indicating that the AP is ready to pair.
    And... how do the parentheses work in the filter? I remember those math classes at school that seemed to be of no use but in real life definitely make a lot of sense! It is the same as writing it the long way (still functional):
    (wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == 00:27:10:xx:xx:xx && wps.config_methods) || (wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == ff:ff:ff:ff:ff:ff && wps.config_methods) || (wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == 00:27:10:xx:xx:xx && wps.selected_registrar_config_methods) || (wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == ff:ff:ff:ff:ff:ff && wps.selected_registrar_config_methods)
    Let's now see a comparison between 2 Beacon Frame packets and then between 2 Probe Responses, in non-pairable mode and in ready-to-pair mode.
    Figure 4: Beacon Frame comparison: rest mode (left) and pairable PBC mode (right)
    Starting with the Beacon Frame comparison: the first difference is the packet length. In rest/standard mode it has 254 bytes vs 271 bytes for the Beacon Frame when it is ready to pair; the packet grows by 17 bytes (271-254), adding 3 more parameters in the tag, as can be seen in the figure above.
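The beacon and probe-response growth described above comes down to extra attributes inside the WPS vendor-specific element. The following added example (not code from the paper) decodes that element from raw 802.11 tagged parameters and tells a rest-mode AP from one whose button has just been pushed; the two frames are constructed here, the attribute IDs and bit values are those of the WPS specification, and the SSID is a placeholder.

```python
"""Decode the WPS vendor-specific element of an 802.11 Beacon / Probe Response
and tell "rest mode" from "pairable PBC mode". Added example, not the paper's
code; attribute IDs and bit values are from the WPS specification."""
import struct

WPS_OUI_TYPE = bytes.fromhex("0050f204")   # Microsoft OUI 00:50:F2, type 4 = WPS

# WPS attribute IDs
ATTR_VERSION, ATTR_WPS_STATE, ATTR_RESPONSE_TYPE = 0x104A, 0x1044, 0x103B
ATTR_CONFIG_METHODS = 0x1008      # Wireshark: wps.config_methods
ATTR_SELECTED_REG = 0x1041        # these three appear once the button is pushed
ATTR_DEV_PASSWORD_ID = 0x1012
ATTR_SEL_REG_CONFIG = 0x1053      # Wireshark: wps.selected_registrar_config_methods

DEV_PASSWORD_PBC = 0x0004
CONFIG_LABEL = 0x0004             # "LAB" in airodump-ng
CONFIG_PUSHBUTTON = 0x0080        # "PBC" in airodump-ng


def tlv(attr_id, value):
    """Encode one WPS attribute as big-endian type / length / value."""
    return struct.pack(">HH", attr_id, len(value)) + value


def vendor_ie(body):
    """Wrap a WPS attribute blob in an 802.11 vendor-specific element (ID 0xDD)."""
    payload = WPS_OUI_TYPE + body
    return bytes([0xDD, len(payload)]) + payload


def iter_elements(tagged):
    """Walk the tagged parameters of a management frame, yielding (id, value)."""
    i = 0
    while i + 2 <= len(tagged):
        eid, ln = tagged[i], tagged[i + 1]
        yield eid, tagged[i + 2:i + 2 + ln]
        i += 2 + ln


def wps_attributes(tagged):
    """Return {attr_id: value} from the WPS vendor element, or {} if absent."""
    for eid, val in iter_elements(tagged):
        if eid == 0xDD and val.startswith(WPS_OUI_TYPE):
            body, attrs, i = val[4:], {}, 0
            while i + 4 <= len(body):
                aid, ln = struct.unpack(">HH", body[i:i + 4])
                attrs[aid] = body[i + 4:i + 4 + ln]
                i += 4 + ln
            return attrs
    return {}


def wps_status(tagged):
    """Summarise what the AP advertises: WPS present, LAB/PBC methods, and
    whether a registrar is selected with the PBC password ID, i.e. the AP is
    inside its walk-time window and will pair with any PBC client."""
    attrs = wps_attributes(tagged)
    if not attrs:
        return {"wps": False}
    methods = struct.unpack(">H", attrs.get(ATTR_CONFIG_METHODS, b"\x00\x00"))[0]
    selected = attrs.get(ATTR_SELECTED_REG, b"\x00")[0] == 1
    pwd_id = struct.unpack(">H", attrs.get(ATTR_DEV_PASSWORD_ID, b"\x00\x00"))[0]
    return {"wps": True,
            "label": bool(methods & CONFIG_LABEL),
            "pbc": bool(methods & CONFIG_PUSHBUTTON),
            "pairable": selected and pwd_id == DEV_PASSWORD_PBC}


def build_tagged(pairable):
    """Constructed tagged parameters: SSID element followed by the WPS element.
    In pairable mode the three registrar attributes sit between WPS State and
    Response Type, as the paper's probe-response comparison shows."""
    ssid = b"SEC_LinkShare_XXXXXX"                      # placeholder SSID
    body = tlv(ATTR_VERSION, b"\x10") + tlv(ATTR_WPS_STATE, b"\x02")   # Configured
    if pairable:
        body += tlv(ATTR_SELECTED_REG, b"\x01")
        body += tlv(ATTR_DEV_PASSWORD_ID, struct.pack(">H", DEV_PASSWORD_PBC))
        body += tlv(ATTR_SEL_REG_CONFIG, struct.pack(">H", CONFIG_PUSHBUTTON | CONFIG_LABEL))
    body += tlv(ATTR_RESPONSE_TYPE, b"\x03")            # AP
    body += tlv(ATTR_CONFIG_METHODS, struct.pack(">H", CONFIG_PUSHBUTTON | CONFIG_LABEL))
    return bytes([0x00, len(ssid)]) + ssid + vendor_ie(body)


REST = build_tagged(False)
PAIRABLE = build_tagged(True)

if __name__ == "__main__":
    print("rest mode:    ", wps_status(REST))
    print("pairable mode:", wps_status(PAIRABLE))
    print("extra bytes when pairable:", len(PAIRABLE) - len(REST))
```

The three extra attributes (1 + 2 + 2 bytes of value, each with a 4-byte header) account for exactly the 17-byte growth the paper measures on both frame types.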

  • 7. Figure 5: Probe Response comparison: rest mode (left) and pairable PBC mode (right)
    Continuing with the Probe Response comparison: the size increase is still 17 bytes (364-347), and it adds the same 3 parameters in the Tag: Vendor Specific: Microsoft Corp.: WPS, but not after the last tag; in this case they sit between Wifi Protected Setup State: Configured (0x02) and Response Type: AP (0x03).
    If the client only needs to know the rest of the WPS modes, it does not need to interact in case the AP is ready to pair (just waiting to capture a Beacon Frame is more than enough), or it can wait until it gets a Probe Response that does not belong to the client it is interested in.
    2.2. Air Dress Code
    There are places, such as special events and restaurants, that demand certain requirements for access. One term used for this is the dress code, which consists of wearing proper attire to attend. In order to connect to the AP, a similar requirement is needed, like the dress code. For example, an Android device needs a compatible version in order to meet the minimum requirements, because WPS was deprecated in Android 9 [7]; or you can use other compatible devices, for example with Windows 10 as OS, to have luck with the connection.
    To start the connection, the first steps are done through the TV: the WPS-compatible AP must be enabled to allow clients to connect.
    - Step 1: Enable SWL. The status by default is OFF (as seen in chapter 1); follow the steps at the end of chapter 2 to turn it ON. The result is shown in the next figure.

  • 8. Figure 6: SWL (Samsung Wireless Link) activation of the AP
    - Step 2: Pair in PBC mode. The interface is enabled but the WPA2 password is not known (yet), so... there is only one way to bond with the AP, and that is initiating the connection by pushing the button: Conexión SWL (in English, SWL Connection).
    Figure 7: SWL (Samsung Wireless Link) pairing in PBC mode
    A pop-up with a 120 second countdown appears. This is the time in which any device with WPS support must establish a connection with the TV. This simulates the PBC mechanism (which can be physical or virtual; this is a virtual case). The PBC could also have been triggered on the client beforehand instead of on the screen (the Walk Time interval or countdown is still valid within these seconds). We are going to see how this is done through Windows and Linux respectively within this time.

  • 9. 2.2.1. Windows WPS to WPA/2
    This is easy to do under Windows (version 10 in the example). We only need to choose the desired wireless network and click Connect; the WPS-compatible AP will notify you as seen in figure 2, then the state automatically changes to establishing the connection / getting the configuration from the router, because the TV is in its Walk Time period.
    Figure 8: Windows 10 Wireless Manager acquiring the network configuration through PBC
    You can read in Spanish "Obteniendo configuración del enrutador" (in English, getting the router configuration). That is all it takes to complete the connection with a compatible client.
    What is happening in the communication between the client and the AP when it is establishing/negotiating to "become a member of the network"? A capture was taken with the help of airodump-ng on the same channel the AP operates on (capturing all possible exchanges between computer and TV). We also cleaned it up (with a good filter), keeping the relevant packets that describe the situation.

  • 10. Figure 9: Connection establishment WPS schema
    The diagram in figure 9 shows the different request and response messages, represented by the arrowed lines. The order of the requests starts at the top and ends with the last line. There are a total of 37 packets. The laptop generates 18 and the TV 19 respectively. The 2 beacon packets at the beginning come from the TV: the first beacon indicates its network capabilities, the second is the same plus PBC because the TV is being put in "pair" mode. Packet number 3 is the moment the laptop decides to start the joining process. If we measure the time between packet 3 and the last packet, number 37, we get 2,072406 seconds (taking our saved .cap file as the source; this may vary depending on conditions). We will not go into more detail about the composition of every packet in the sequence (out of scope for this paper), but 2 important parts can be identified from the first Probe Request onwards. One is the WPS transactions and the other is the WPA/2 key procedure (the famous 4-way handshake).
    This connection establishment can be compared with a real-life situation to explain it a little better. Imagine that at your newly acquired job someone from the IT team brings you a temporary password on a small piece of paper, and you use it on a computer deployed by the company until the password is finalized. The password on paper is like WPS, and the final password, which you are supposed to choose and change, is the WPA/2 key.

  • 11. Now, a good question could be... How can we connect a non-compatible device to a WPS-style network? By retrieving the WPA/2 password that always exists in the background. In fact, WPS is not the final key that lives/resides permanently; it is only an intermediary to obtain the credential used to encrypt the link between the client/station and the AP. How to do this? In Windows there are 2 ways.
    - Live WPA/2 GUI way: This is the easiest and can be done entirely through the graphical interface, but the only drawback is that it can only be done while connected to the Wi-Fi network (it does not work if the client is disconnected). Go to Connections/Adapter Options and then follow the steps in the figure below...
    Figure 10: Windows 10: Network Connection/Adapter Options. Showing the Wi-Fi password during the connection
    Double-click on the Wi-Fi adapter - Wireless Properties - Security tab. After pressing Show characters, the password appears. Note: elevated credentials are needed to show the password when ticking the box.
    - Offline WPA/2 CLI way: If the connection to the SEC_LinkShare_XXXX network was successful using the wireless manager, the password is stored until you decide to forget it. This is the one-liner in CMD to show the password:
    netsh wlan show profile SEC_LinkShare_* key=clear

  • 12. Figure 11: Windows 10: Showing the WPA2 password with the netsh tool
    The SSID can be typed partially, ending with an asterisk (*), to autocomplete the rest of the Wi-Fi network name if you do not remember it entirely, and to avoid needing another command to list the saved profiles.
    2.2.2. Linux WPS to WPA/2
    A Kali Linux distribution was used for this purpose:

  • 13. Figure 12: Kali Linux; showing the detailed version
    We prefer to include the exact version, in case these commands differ if another edition (Kali distribution, older or newer) is used. Two processes are mandatory and are executed in separate command-line windows: wpa_supplicant and wpa_cli will be our toolchain. But first, any process that could conflict must be stopped with the help of airmon-ng (also used to put an interface into monitor mode).
    Figure 13: Kali Linux: Killing Wi-Fi processes
    A configuration file must be created before starting; this is like a "cue file" for wpa_supplicant with the minimum setup.
    Figure 14: Kali Linux; Creating the .conf file for wpa_supplicant
    Following good standards (or best practices), the .conf file is called wpa_supplicant.conf and saved in a recommended path [8]. With the help of the echo command the file can be created "on the fly", and 2 lines are needed:
    ctrl_interface; tells wpa_supplicant which control interface to use (the one wpa_cli talks to).

  • 14. update_config; allows the WPA2 passphrase (key) to be saved into the wpa_supplicant.conf file.
    The last line of commands invokes/initializes wpa_supplicant with a pair of parameters:
    -i; chooses the interface wpa_supplicant is going to operate on.
    -c; chooses the location of the .conf file.
    Everything is ready to use the second tool in a separate window, wpa_cli [9].
    Figure 15: Kali Linux; Complete steps for the connection to a WPS-PBC network

  • 15. As the WPS Wi-Fi network is of PBC type, the first command observed in the figure above is the only one necessary. Joined the wireless network without an IP? OK... Staying under the TV's Wi-Fi umbrella is one thing; obtaining this configuration with the help of other tools is another. The wpa_cli tool will not do it for you, but don't worry: dhclient comes by default and you will quickly retrieve an IP from the TV's DHCP server! After that, a check can be carried out simply by running ifconfig. All command steps are optional except the first one of wpa_cli. If the result was OK, the password can be retrieved by showing the content of wpa_supplicant.conf. The cat tool reveals the psk line.
    2.3. Host offerings to Guests
    Generally, when you are invited by a friend or another person into their home, it is common (in many situations) that they offer you something to drink or eat as a gesture of thanks. What is the TV AP offering? Let's look at the network parameters!
    Figure 16: Windows 10; ipconfig /all showing the Wi-Fi interface network parameters
    It runs a DHCP service that provisions the IP 10.123.12.128 (if you are the first device to request a connection). It is a /24 class C IP range. The gateway and DHCP server are the TV's IP, which hosts the services in the same container, but... the DNS server is different. Why? There is an explanation. According to the article mentioned before in chapters 1 & 2 [3], the TV can act as a router. To make it one, the Ethernet interface must be connected to another router, so the DNS is the same as that of the connected router. A small test can be done to figure this out (pinging google is more than enough to check internet connectivity).

  • 16. Figure 17: Smart TV architecture acting as a router
    In the figure above, P1 is a device on the TV network and P2 is on the user's home router network. P1 can contact P2 directly but not the other way round (P2 cannot reach P1 "by default"). The TV sits between the 2 networks and has enough information to route packets to the Ethernet side doing NAT (meaning P2 sees the 192.168.1.X Ethernet TV interface IP). Unless a route exists in the router (which has the IP 192.168.1.1), P2 will not be able to reach P1.
    3. DoS Attack
    It can be said that the attack appears suddenly, as if by magic, from tools designed to test WPS vulnerabilities. Their objective is to obtain the WPA key by brute-forcing the first and second halves of the PIN code (8 digits in total). An offline brute force of the PIN became possible with the discovery by Dominique Bongard [10], and another tool was born, called pixiewps ("pixie-dust attack") [11]. Due to its efficiency, it was implemented in a modified version of Reaver [4] and also in Bully [12]. We are going to use both (Bully and Reaver respectively) to compare their performance and the time taken. It is important to mention that the first intention was to test the security of the Smart TV; the WPA2 password cannot be retrieved with any of these tools because, instead, the TV reboots again and again! Let's check the model and versions of the TV and computer used for these DoS attacks.
    TV:
    - Model Code: UE40D7000
    - Software/Firmware Version: T-GAPDEUC-1033.2

  • 17. Figure 18: Smart TV: Model and Software version under the Contact section
    These parameters can be retrieved in the TV's Menu. This is the last firmware known.
    Computer/Laptop: A Kali Linux 2020.4 ISO running in Live mode, the same one shown in figure 12 of chapter 2.2.2.
    How do you find out there is a vulnerable Smart TV before starting the attack? Put the Wi-Fi interface into monitor mode first...
    Figure 19: Kali Linux; Airmon-ng tool: Putting the interface into monitor mode
    Then the wash tool will tell you (it is part of the Reaver [4] package).
    Figure 20: Kali Linux; Wash tool to scan for WPS APs
    The SSID is the key parameter to be aware of around you; we use grep to filter cleanly for what is necessary and essential. Putting WPS as part of the filter, the word is highlighted in red in the column, to use as a guide.

  • 18. The rest of the show (Proof of Concept) continues with the inspection and use of the tools.
    3.1. (pixied) Bully
    This tool does not seem to be as famous as the other one, reaver, but it has its own look and feel, showing a bulldog as its logo in the Kali Linux tools [13]. This is a targeted attack, so in order to start fast, the BSSID and channel must be known.
    Figure 21: Kali Linux; Bully tool in action
    The bully command is written in the terminal with 3 parameters:
    -b: BSSID (or MAC of the AP).
    -c: the channel the Access Point is working on.
    -v: verbosity; shows more info if the level is set to the maximum (in this case, 4 is the maximum).
    wlan0mon: the interface after "being converted" into monitor mode.
    The last lines show a column indicating "timeouts", meaning the TV does not answer in the proper time. Before the first Rx(Beacon)... line started, the TV was rebooted. Why not measure these times, right?

  • 19. 3.1.1. Videometer
    In a race, measurement tools/techniques are used to establish and identify the order of the positions. Depending on the precision required by the type of race, you can use a physical stopwatch (a typical function included in most wristwatches) or more sophisticated professional-grade tools. How can we use a stopwatch for a PoC? I like to make videos showing PoCs with a little cinematic touch. I realized at the same time that it helps a lot with measurements, by representing the different objects involved in the same screen video. The trick consists of syncing different recordings (for example, one of the laptop, another recording the TV screen directly).
    Figure 22: Measurement techniques using a video editor
    To join "all the pieces", we use a video editor. Here there are 2 recordings: the screen of the laptop running Kali Linux and the TV screen (recorded with a smartphone, for example). The stopwatch helps you be precise about certain moments you want to catch if you intend to do some statistics/analysis at the end. I know you may have questions like... Does the stopwatch come by default? Maybe, but in my case I needed to create it as a video insert. The small square of the StopWatch is taken by recording the screen of an Android device; then some work is needed to fit and flatten the video into the project. You do not need hard skills for that, only some patience; make sure to synchronize all the parts and start the timer at the moment you think is right. I named this the videometer because doing similar work without the help of a video editor does not give you the vision you need (or at least I did not achieve it without this support)... And no, this is not only an image or a kind of collage ;) you can see this edited video here: https://youtu.be/MdIT4mPTX3s

  • 20. 3.1.2. PostMortem
    We describe the results after taking the measurements with the "videometer" technique.
    Time Log:
    - 0:00,00 START DoS Attack
    - 0:14,35 TV is Rebooted
    - 0:22,89 TV is Operating Normally
    - 0:42,67 WiFi is ON (Throwing Beacon frames)
    - 1:02,42 TV is Rebooted Again
    The stopwatch was started at the same moment "enter" was pressed on the keyboard to start the Bully tool. The idea was to know how long it takes to reboot, to be up and running again, when the Wi-Fi is discoverable again (through the beacon frames), and at what time the second reboot occurs. As observed, some conclusions can be drawn (or just out of curiosity). The TV was ON when the DoS attack was started. The first reboot takes less than a minute (14,35 seconds). The second reboot takes more time than the first: 39,53 seconds from when the TV was operating normally, so 39,53 - 14,35 = 25,18 seconds more than the first reboot.
    Interactions Diagram:
    We know what the interactions look like in a normal WPS bonding between a client and an AP (seen in figure 9), but... what are the interactions (requests/responses) driven by the tool? We recorded traffic with airodump-ng in order to create a .cap file, and this is the result.

  • 21. Figure 23: Interaction Diagram between laptop & TV under Bully attack
    The general difference compared with figure 9 is that at the beginning of the requests there is no beacon frame reflected, nor the probe pair. This is because the client, Bully, does not seem to need any beacon frame to start the attack, since it knows the BSSID and channel (acquired in many ways, in this case through the wash tool). However, according to what can be seen in the tool's log, it makes sure to receive a beacon before starting the attack. The DoS occurs when the EAPOL packets are sent. After the identity requests, the TV has the "poison inside" and it is a matter of time before it falls. During this period, more packets are sent (shown in red). It is like a boxer on the ground while the countdown runs. The WSC_NACK tries to get the configuration from the AP. In this state [14] the rest of the packets enter a sequence and/or loop of 6 packets in total; they are: Deauthentication, Authentication x2, Association Request-Response and EAPOL-Start. As we had the .cap we were able to do more, and decided to produce a graph/diagram using this function in Wireshark [15]. In traffic packet inspection it is highly recommended to filter for what is needed; however, graphs can show things not easily seen in text-only mode.

  • 22. Figure 24: Wireshark: I/O Graph of the Bully attack until the first TV reboot
    It gives us a clear picture of the behaviour and shows that it follows a certain pattern. The Y axis is the number of packets grouped in half a second (500 milliseconds). Each division is 2 packets. Max packets reached = 46. The X axis is time expressed in seconds. Each division is 0,5 seconds. Total time is no more than 17 seconds. What do the colours, dots and lines mean? In the case of Bully, we distributed the packets in 4 series. For each series we applied a Wireshark display filter to make it part of the graph. The legend is:
    - Black line: All displayed packets of the attack. The filter applied is:
    frame.number>=xxx && frame.number<=xxx && ((wlan.addr == e4:e0:c5:xx:xx:xx && (wlan.addr == f0:d5:bf:xx:xx:xx || wlan.ra == ff:ff:ff:ff:ff:ff)) || (!wlan.ta_resolved && (wlan.ra == e4:e0:c5:xx:xx:xx || wlan.ra == f0:d5:bf:xx:xx:xx)))
    We cut unwanted frame numbers at the beginning and the end with the frame.number filter expression. The !wlan.ta_resolved part includes acknowledgement packets, which carry no source address but count as packets for other analytic purposes.
    - Green line: Beacon frames coming from the Smart TV. The filter applied is:
    wlan.ta == e4:e0:c5:xx:xx:xx && wlan.ra == ff:ff:ff:ff:ff:ff
    - Blue dots: a group of deauthentication, authentication (request & response), association request and association response respectively. The filter applied is:
    wlan.fc.type_subtype == 0x000c || wlan.fc.type_subtype == 0x000b || wlan.fc.type_subtype == 0x0000 || wlan.fc.type_subtype == 0x0001
    - Garnet dots: EAPOL packets (including EAP). The filter applied is as simple and short as it gets (1 word!):

  • 23. eapol
    Let's look for some deductions, but something does not seem to fit at the beginning of the graph... Why are there already packets at 0 seconds? This type of Wireshark graph uses each interval to its maximum: "0" covers everything up to its limit, the next half-second boundary at 0,5, so 0,4 (for example) counts as "0", which is why packets show up at time 0. To keep the graph as clear as possible, lines express a maximum limit or a continuous amount of packets, like the beacon frames.
    Now, reading it from the beginning: the commands producing the attack take less than half a second, with more blue packets than garnet, but they go together. The garnet dot at second 10 is the EAP - Response, Expanded Type, WPS, WSC_NACK packet before another cycle is sent. At that moment "the TV is dying" and the pattern repeats 3 times, with their respective high blues & low garnets, the same number of packets in each and the same distance in time. The blues have a couple fewer packets than at second 0, the garnets are only 2 packets, telling us the attack is trying to send but there is no answer from the AP. The last group of blues & garnets before the TV reboots is equal in packet number (for each one), but there is more distance compared with the previous group.
    3.2. (bits) Reaver
    The only tool to deal with WPS until Bully appeared. The commands invoked are very similar.
    Figure 25: Kali Linux; Reaver tool in action
    The differences with respect to Bully are the representation of the interface and the verbosity:
    -i: the interface to perform the attack on; wlan0mon is wlan0 in monitor mode.
    -vv: the verbosity; adding another "v" shows more detail (in this case, 2 v's is more than enough not to clutter the output with unneeded packets).
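The I/O graph series and the half-second binning explained above can be reproduced offline, and the same counts give a simple detector for the WPS/EAPOL burst these tools produce against an AP. The following added example (not the paper's code) bins a constructed capture into 0,5 s buckets per series and flags fixed windows in which EAPOL or deauthentication traffic involving one BSSID exceeds a single legitimate PBC join; the MAC addresses, packet timings and thresholds are assumptions.

```python
"""Bin a Wi-Fi capture like the paper's Wireshark I/O graphs and flag the
WPS/EAPOL burst the tools produce. Added example; the capture is constructed."""
from collections import Counter, defaultdict

AP, STA = "e4:e0:c5:00:00:01", "f0:d5:bf:00:00:02"   # constructed placeholder MACs
BCAST = "ff:ff:ff:ff:ff:ff"
BIN = 0.5          # the I/O graph's half-second interval
WINDOW = 5.0       # detector window (assumption, not from the paper)

# Management type/subtype values as Wireshark's wlan.fc.type_subtype shows them
ASSOC_REQ, ASSOC_RESP, BEACON, AUTH, DEAUTH, ACTION = 0x00, 0x01, 0x08, 0x0B, 0x0C, 0x0D
DATA = 0x20        # plain data frame; EAPOL rides on data frames


def classify(p):
    """Map a packet to the paper's graph series (green/blue/garnet/purple)."""
    if p["eapol"]:
        return "eapol"               # garnet: EAPOL and EAP (WPS) frames
    if p["ts"] == BEACON and p["ra"] == BCAST:
        return "beacon"              # green: beacons from the TV
    if p["ts"] in (DEAUTH, AUTH, ASSOC_REQ, ASSOC_RESP):
        return "auth_assoc"          # blue: deauth / auth / association
    if p["ts"] == ACTION:
        return "action"              # purple: Block Ack action frames
    return "other"


def bin_counts(packets, width=BIN):
    """Packets per bin and series. 0.4 s // 0.5 s is bin 0, which is why the
    graph already shows packets at 'time 0'."""
    bins = defaultdict(Counter)
    for p in packets:
        bins[int(p["t"] // width)][classify(p)] += 1
    return bins


def detect_wps_abuse(packets, bssid, window=WINDOW, max_eapol=16, max_deauth=3):
    """Flag fixed windows in which EAPOL volume or deauthentication count
    involving one BSSID exceeds what a single PBC join produces.
    Returns [(window_start, eapol_count, deauth_count), ...]. Thresholds are
    assumptions chosen against the constructed trace below."""
    eapol, deauth = Counter(), Counter()
    for p in packets:
        if bssid not in (p["ta"], p["ra"]):
            continue
        w = int(p["t"] // window)
        if p["eapol"]:
            eapol[w] += 1
        elif p["ts"] == DEAUTH:
            deauth[w] += 1
    return [(w * window, eapol[w], deauth[w])
            for w in sorted(set(eapol) | set(deauth))
            if eapol[w] > max_eapol or deauth[w] >= max_deauth]


def make_trace():
    """Constructed capture: TV beacons every 100 ms, one normal PBC join
    (auth, assoc, 8 EAPOL frames) at t=0.3..1.8 s, then Bully-style cycles
    of deauth, auth x2, assoc req/resp, EAPOL-Start and an EAP pair every
    0.7 s from t=10 s."""
    pk = []

    def add(t, ts, ta, ra, eapol=False):
        pk.append({"t": round(t, 3), "ts": ts, "ta": ta, "ra": ra, "eapol": eapol})

    for i in range(200):
        add(0.1 * i, BEACON, AP, BCAST)
    for t, ts, ta, ra in ((0.30, AUTH, STA, AP), (0.31, AUTH, AP, STA),
                          (0.35, ASSOC_REQ, STA, AP), (0.36, ASSOC_RESP, AP, STA)):
        add(t, ts, ta, ra)
    for j in range(8):
        add(0.4 + 0.2 * j, DATA, (STA, AP)[j % 2], (AP, STA)[j % 2], eapol=True)
    for k in range(12):
        b = 10 + 0.7 * k
        add(b, DEAUTH, STA, AP)
        add(b + 0.01, AUTH, STA, AP)
        add(b + 0.02, AUTH, AP, STA)
        add(b + 0.03, ASSOC_REQ, STA, AP)
        add(b + 0.04, ASSOC_RESP, AP, STA)
        add(b + 0.05, DATA, STA, AP, eapol=True)   # EAPOL-Start
        add(b + 0.06, DATA, AP, STA, eapol=True)   # EAP Request Identity
        add(b + 0.07, DATA, STA, AP, eapol=True)   # EAP Response (WSC_NACK)
    return sorted(pk, key=lambda p: p["t"])


if __name__ == "__main__":
    trace = make_trace()
    for b, counts in sorted(bin_counts(trace).items())[:6]:
        print(f"{b * BIN:4.1f}s {dict(counts)}")
    print("alerts:", detect_wps_abuse(trace, AP))
```

The normal join stays under both thresholds, while each 5 s window of the attack cycle trips them; on a real capture the same counters can be fed from a pcap reader with the paper's display filters.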

  • 24. The tool log reflects every step (like Bully) thanks to the verbosity option.
    3.2.1. Time Thief
    The same procedure is carried out as with the previous tool. We use the same "videometer" method seen in chapter 3.1.1.
    Time Log:
    - 0:00,00 START DoS Attack
    - 0:20,17 TV is Rebooted
    - 0:29,72 TV is Operating Normally
    - 0:49,10 WiFi is ON (Throwing Beacon frames)
    - 1:08,23 TV is Rebooted Again
    Let's draw some conclusions observed in this case. Track the "zero" moment as well. The first reboot takes less than a minute (20,17 seconds). The second reboot still takes more time than the first, with 38,51 seconds, so 38,51 - 20,17 = 18,34 extra seconds compared with the first reboot.
    Interactions Diagram:
    We follow the same methodology as before, from the requests perspective.
    Figure 26: Interaction Diagram between laptop & TV under Reaver attack
    The feeling it gives is that it is simpler, since there do not seem to be as many interaction packets between those involved. It is true that the diagram is shorter than the one captured with Bully, but we did not put all the repeated packets in place, so as not to clutter the graph.

  • 25. Later, in the Wireshark I/O Graph, we can look a bit deeper into packet context vs. time taken. The starting sequence of requests-responses is the same as with Bully, but a new and different packet is introduced (not seen in Figure 23). This is an Action frame for Block Ack (block acknowledgement); what does it mean and what role does it play here? Block Ack is intended to be more efficient, avoiding so many ack packets by putting all of them in one frame [16]. This must be negotiated between the two parties; here there is a request but no response/answer from the laptop, so the mechanism did not start. In the DoS phase there is only one pair of EAP request-response reflected, but there are ellipses, meaning the pair repeats in a loop until the TV is rebooted. The mechanism is simpler, short but intense. It is the Wireshark I/O Graph's turn!
    Figure 27: Wireshark: I/O Graph of the Reaver attack until the first TV reboot
    The description is the same as seen in figure 24, in order to make a fair comparison. The size of the graph is the same, as is the number of packets per half second. Here the max packets are 301 and the total time is no more than 21 seconds. The legend is almost the same, plus the Action (Block Ack) packets:
    - Purple line: Action - Block Ack packets. The filter applied is:
    wlan.fc.type_subtype == 0x000d && wlan.addr == f0:d5:bf:xx:xx:xx
    We can see differences in how each piece of software manages the packets over time.
    Note: In order to present the same type of data for each tool, the SWL function of the TV was reset (turned OFF and ON) and the TV was turned OFF and ON to be sure there was nothing left in memory, buffers, etc.

• 26. The Y axis denotes the higher number of packets that Reaver needs to spend on the DoS attack: the number of EAPOL packets is higher. The blue group only appears at the beginning, while purple goes forward, and garnet packets are present during the whole attack, as if they were beacon frames (almost all the time they follow the same line as the beacons). Garnet has two well differentiated peaks. The first reaches about 180 packets at 4,5 seconds; the second, at 11,5 seconds, reaches 220: 7 seconds and 40 more packets of difference. Another curious observation: just after the first high peak, garnet seems to lose some power. The second peak makes more sense; it seems to reactivate at second 11 to reach more potential half a second later (11,5 seconds). From second 12 until the end, garnet is linear.

4. Conclusions

We have seen that both tools have similarities, and we have unintentionally discovered a “hidden function”, the DoS that these tools can inflict on this Smart TV. According to the test results, Bully seems to be programmed/coded to do a somewhat cleaner job of fiddling with WPS, making less noise “in the air”. Thanks to the sniffed traffic, inferences can be made without the need to inspect the source code of the tools. Video timing measurements, interaction diagrams and I/O graphs are good for determining and deciding on a winner. We took the trouble to make a final comparison by putting both tools “on the table” to increase clarity on their timings.

• 27. Figure 28: Time comparison between Bully & Reaver

Some explanation is needed before commenting on this schematic graph. At the top, the time object can be found, positioned in the middle, with the count starting at 0 seconds (the start). There are two separate columns: the left one is the timeline of Bully and the right one the same for Reaver. We created the following color groups for an easy visualization of the situation:
- Red: first TV reboot.
- Blue: when the TV wakes up after the first reboot (showing images & sound on screen).
- Green: beacon frames spreading again after the TV returns to normal operation.
- Orange: second reboot time.

When an action is taken (either by one tool or by the other), the time column takes note of the time. At the same moment, the action of each tool gets the timestamp relative to the previous action, placed nearest the time column. If the time is situated in the same column as the tool, the timestamp reference is against its own previous action.

• 28. The different color indicates the color of the previous action. When the time is in the opposite column (having two times), it means the additional time with respect to the previous category (actual time minus previous category). What can be seen in the overall view of the diagram is that the total time for both ends at a similar point, differing by 5,81 seconds, making Reaver a little slower than Bully. Almost the same difference appears at the beginning, at the first reboot, where the time differs by 5,82. In all cases Reaver takes more time in each action with respect to Bully, but with respect to their own previous action, Reaver takes less time in the orange and green categories.

One important lesson to learn here is that you should not activate functions whose behavior is unknown and/or not used. Unless it is to carry out research of this kind, as a user of a product not manufactured by yourself, it is better to use those parts of which you have knowledge. Does it mean the fault is yours? Oh, of course not… This is just a way to mitigate issues that are not easily resolved by third parties. We understand these devices have a useful life, but what if life gives them a break, like a human being who can reach a hundred years and more? Would you leave your relative banished at a predetermined age even though his health is good? We believe the answer here is more than implicit, right? If this is clear enough, why not apply the same to devices? We know there is no comparison, but it deserves some kind of fix to cure that annoyance.
We tried to get the password remotely but had no luck with the pair of tools mentioned, so at least nobody can retrieve your WPA2 “non-changeable” password (don’t forget WPS was born insecure; Stefan Viehböck made it public [17]). But you need to take into account that, if you have the Ethernet interface connected to your home router (according to chapter 2.3), your home router’s network is accessible from the Smart TV network (if you are trying to isolate it, using the TV AP isn’t a good idea!).

Back to the DoS attack: we demonstrated its effectiveness by recreating it in a possible cybercrime scenario in multimedia format (video of chapter 3.1.2). A mother and her son are watching cartoons and suddenly the TV malfunctions. The mother may think there is a failure in the television. The TV is old and the manufacturer’s official technical support will no longer take over, so the mother most probably decides to buy another one (perhaps changing brand and manufacturer, losing their trust). She doesn’t know that the failure was caused by a cybercriminal…

In all tests, we were aware of the channel changing: sometimes it is 1, other times it is 11. This doesn’t happen on every TV reboot, but it can happen (the video only reflects the attack against the same channel, without being ready for a change of the TV AP’s channel). Do the tools have the ability to switch from one channel to another in case it happens? Yesss! Your tool is Bully and the command will look like this:

bully -b E4:E0:C5:XX:XX:XX -c 1,11 -v 4 wlan0mon

The solution for citizens is easy: disable the SWL functionality of the TV. But we think the manufacturer should do their part, handle these internal errors correctly and be resistant to DoS WPS PIN attacks. It surely would increase their reputation and can also serve as a good marketing strategy against competitors.

• 29. It should be an honor for them that the product can still be standing, a sign that they do things very well. Remember… Be Good, Be Hackers.

5. References

[1] E-MANUAL - 01_ENG_GPDVBEUA-0106.pdf; pages 93, 111. https://downloadcenter.samsung.com/content/UM/201201/20120128101809663/01_ENG_GPDVBEUA-0106.pdf
[2] VDB-12842 | Samsung TV SSID Authentication improper authentication. https://vuldb.com/?id.12842
[3] Samsung Wireless Link security hole | Jumping Spider. https://jumpingspider.co.uk/rants-2/samsung-wireless-link-or-wtf-is-sec_linkshare
[4] GitHub - t6x/reaver-wps-fork-t6x. https://github.com/t6x/reaver-wps-fork-t6x
[5] Wi-Fi Protected Setup Specification; page 94, 11.3 PBC Technical Description. https://www.wi-fi.org/file/wi-fi-protected-setup-specification
[6] SEC_LinkShare SSID is from your Samsung TV: SWL (Samsung Wireless Link). https://wiert.me/2011/07/04/sec_linkshare-ssid-is-from-your-samsung-tv-swl-samsung-wireless-link
[7] Wi-Fi Easy Connect | Android Open Source Project. https://source.android.com/devices/tech/connect/wifi-easy-connect
[8] wpa_supplicant – ArchWiki. https://wiki.archlinux.org/title/wpa_supplicant
[9] wpa_supplicant and Wi-Fi Protected Setup (WPS). https://w1.fi/cgit/hostap/plain/wpa_supplicant/README-WPS
[10] Offline bruteforce attack on WiFi Protected Setup (slides). http://archive.hack.lu/2014/Hacklu2014_offline_bruteforce_attack_on_wps.pdf
[11] GitHub - wiire-a/pixiewps: An offline Wi-Fi Protected Setup brute-force utility. https://github.com/wiire-a/pixiewps
[12] GitHub - kimocoder/bully: Bully WPS Attack Tool. https://github.com/kimocoder/bully
[13] Bully | Kali Linux Tools. https://www.kali.org/tools/bully
[14] Wi-Fi Protected Setup Specification; page 109, Configuration Error. https://www.wi-fi.org/file/wi-fi-protected-setup-specification
[15] Wireshark. 8.8. The “I/O Graphs” Window. https://www.wireshark.org/docs/wsug_html_chunked/ChStatIOGraphs.html
[16] CWAP - 802.11: Block Ack | mrn-cciew. https://mrncciew.com/2014/11/01/cwap-802-11-block-ack

• 30. [17] Brute forcing Wi-Fi Protected Setup. https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf
